CVE-2026-42233
SQL Injection in n8n Workflow Automation Platform
Publication date: 2026-05-04
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Affected version / range |
|---|---|---|
| n8n | n8n | < 1.123.32 (1.123.32 excluded) |
| n8n | n8n | = 2.18.0 |
| n8n | n8n | >= 2.17.0 and < 2.17.4 (2.17.0 included, 2.17.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to inject arbitrary SQL and exfiltrate data from the connected Oracle database. This unauthorized data access could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on personal and sensitive data to prevent unauthorized disclosure.
Specifically, if sensitive or personal data governed by these regulations is stored in the affected Oracle database, exploitation of this flaw could result in non-compliance due to data breaches or unauthorized data exposure.
Can you explain this vulnerability to me?
This vulnerability exists in the n8n workflow automation platform, specifically in the Oracle Database node's select operation. Before the fixed versions, a value supplied to the Limit field through an expression was inserted directly into the SQL query text, without validation or parameterization.
Because of this, if external input (for example, a field from an incoming webhook request) is passed into the Limit field, an attacker controlling that input could inject arbitrary SQL and use the node's database connection to extract data from the connected Oracle database.
The issue has been fixed in versions 1.123.32, 2.17.4, and 2.18.1 of n8n.
How can this vulnerability impact me?
This vulnerability can allow an attacker to perform SQL injection attacks on the Oracle database connected to the n8n platform.
As a result, an attacker could exfiltrate sensitive data from the database, potentially leading to data breaches.
Such unauthorized data access could compromise the confidentiality and integrity of your data and systems.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade n8n to one of the patched versions: 1.123.32, 2.17.4, or 2.18.1.
Until the upgrade is applied, avoid passing external or user-controlled input (such as webhook data) directly into the Limit field of the Oracle Database node's select operation; if a dynamic limit is unavoidable, validate it as a plain integer in the workflow before it reaches the node.
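The root cause described above (a Limit value interpolated into SQL text) and the corresponding fix (validate the value as an integer and pass it as a bind variable) are illustrated by the following added example. It is not n8n's own code and does not reproduce the actual patch; the function names, the `ROWNUM` template, and the `table` parameter are assumptions for illustration, and the `{ sql, binds }` result is shaped for node-oracledb's `connection.execute(sql, binds)`.

```javascript
// Added example, not code from n8n. Shows the unsafe pattern (limit value
// spliced into SQL text) next to a hardened builder that validates the
// limit and hands it to the driver as a bind variable.

// Oracle identifier check for the (hypothetical) table parameter: identifiers
// cannot be bound, so they must be validated before being quoted into SQL.
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_$#]{0,127}$/;

// Unsafe pattern (kept for contrast only): whatever the expression resolved
// to becomes part of the SQL statement, so a non-numeric value is parsed as SQL.
function buildSelectUnsafe(table, limit) {
  return { sql: `SELECT * FROM ${table} WHERE ROWNUM <= ${limit}`, binds: {} };
}

// Accept only a plain decimal integer within a sane range. Anything else
// (spaces, operators, exponent notation, negatives) is rejected outright.
function parseLimit(raw, max = 10000) {
  const text = String(raw).trim();
  if (!/^\d{1,9}$/.test(text)) {
    throw new RangeError(`Limit must be a plain positive integer, got ${JSON.stringify(raw)}`);
  }
  const n = Number(text);
  if (n < 1 || n > max) {
    throw new RangeError(`Limit ${n} is outside the allowed range 1..${max}`);
  }
  return n;
}

// Hardened pattern: the SQL text is a fixed template; the limit travels
// separately as a bind variable and can never change the statement's shape.
function buildSelectSafe(table, limit) {
  if (!SAFE_IDENT.test(table)) {
    throw new Error(`Invalid table name: ${JSON.stringify(table)}`);
  }
  return {
    sql: `SELECT * FROM "${table.toUpperCase()}" WHERE ROWNUM <= :limit`,
    binds: { limit: parseLimit(limit) },
  };
}

// Constructed inputs: a legitimate webhook value and a tampered one.
const legitimate = "50";
const tampered = "50 OR 1=1";

console.log(buildSelectSafe("orders", legitimate));
// The unsafe builder carries the tampered text into the statement itself:
console.log(buildSelectUnsafe("orders", tampered).sql);
```

With the hardened builder the tampered value raises a `RangeError` before any SQL is built, which is the behaviour to expect from the patched node and the check to add in a workflow that must accept a dynamic limit before upgrading.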